Meeting Objectives


■ Review Privacy & Security Rules 

■ Recognize the National Landscape 

■ Discuss Current Internal Activity 

■ View CCH Measures for Compliance 
o Proactive 

o Reactive 
The "Alphabet Soup" of Privacy


■ The Health Insurance Portability and Accountability Act 
o 2003 - HIPAA Privacy Rule 

o 2005 - HIPAA Security Rule 

■ Patient/member privacy rights related to health data 

■ Key Terms: 

Protected Health Information (PHI) and 
Electronic Protected Health Information (ePHI) 

■ CCH has a responsibility to safeguard PHI and ePHI 
REUTERS


TECHNOLOGY NEWS OCTOBER 19, 2018 / 4:56 PM / 6 DAYS AGO 


U.S. CMS says 75,000 individuals' files 
accessed in data breach 


(Reuters) - The U.S. Centers for Medicare & Medicaid Services (CMS) said on Friday 
it was responding to a data breach that exposed the files of about 75,000 individuals. 


HealthITSecurity (Xtelligent Healthcare Media)

March 13, 2018 
By Elizabeth Snell 

A New York surgery center reported a 
potential data breach stemming from a 
server being accessed by an unauthorized 
user. 


Tulsa World

Data breach at OSU Center for Health Sciences may 
have exposed Medicaid patient information 


Modern Healthcare

The leader in healthcare business news, research & data


From Staff Reports Jan 5, 2018 

Nearly 280,000 Medicaid patient records breached 
in Oklahoma State University Center for Health 
Sciences. 

Des Moines Register

PART OF THE USA TODAY NETWORK

UnityPoint warns 1.4 million patients their information
might have been breached by email hackers

Tony Leys, Des Moines Register | Published 3:42 p.m. CT July 30, 2018 | Updated 4:22 p.m. CT July 30, 2018


Anthem to pay $16M in record data
breach settlement

By Erica Teichert | October 16, 2018

Anthem has agreed to pay the federal government $16 million in a settlement
over its 2015 data breach that hit nearly 79 million people, HHS said Monday.

The agreement is by far the largest settlement reached by HHS' Office for Civil
Rights for a Health Insurance Portability and Accountability Act breach. Hackers
stole the names, birth dates, Social Security numbers, home addresses and other
personal information in the 2015 cyberattack.

As part of the settlement, Anthem agreed to a corrective action plan where it will
conduct a risk analysis and fix any deficiencies. HHS will oversee Anthem's work.





Privacy Allegations Received by Compliance 

F-YTD 238 Issues Attributed to HIPAA 
26% of the Total Issues Received F-YTD 


Of the 238 Privacy allegations received, 13% or 30 incidents were validated privacy breaches

(Determination of no breach and guidance requests, e.g. Contract and Business Associate Agreement, data sharing, subpoena requests)


COOK COUNTY HEALTH & HOSPITALS SYSTEM (CC-HHS)

Audit & Compliance Committee of the Board | November 15, 2018























Security Intelligence 


Intrusion Events 
Sample Reports Received Monthly 2,000,000


Connection Events 


Access Control Rule 


Connections 



Malware File Monitor 

13,081,019 

Default Action 

3,529,931 


1,982,794 

CCHHS App Allow 

1,033,422 

CCHHS Geo Block Dest 

320,328 

CCHHS App Block 

314,686 

Guest_App_Access 

287,438 

CCHHS URL Allow 

187,458 

SMB Allow 

96,590 

CCHHS Geo Block Source 

19,507 

SMB Block 

16,343 

CCHHS URL Block 

13,763 

ITunes_Allow 

6,479 

Social Networking APP Allow 

1,111 

Social Networking URL Category 

722 

Ransomware Block 

635 

ITunes_UserbasedAccess

29 

Teamviewer_Allow 

27 

Teamviewer_Userbased_access 

20 

SoftPath App Traffic 

13 

Network Geo Dest Bypass 

6 

CCHHS Remote Storage Allow 

5 

CCHHS Instant Messaging Allow 
CCH Proactive & Reactive Measures


Security Tools 

■ Intruder Prevention (Cisco Firepower) 

■ MS Office 365 (Recent Optimizations) 

■ Infoblox Secure DNS (How it helps with Phishing Attacks) 

■ Cerner 724 Read-Only upgrade to 724 Access Downtime 
Viewer (Business Continuity Plan/Disaster Recovery) 

■ Cerner Instant Access (Security and Authentication) 
Additional Security Controls


■ Updated privacy & security training 

■ Adapted policies to evolving environment including 

o Mobile Device Management 
(also implementing controls) 

■ Developed vendor questionnaire 




Future Initiatives 

■ Optimizing medical device management


■ Developing an anti-phishing program 

■ Enhancing asset control through IT Service Management 
(ITSM) 

■ Requiring multi-factor authentication (remote access)




